don't use encrypt to self (Re: legislating the impossible?)

Adam Back aba at dcs.ex.ac.uk
Mon, 6 Jul 1998 12:48:59 +0100


Ian writes:
> If you send me a message encrypted to me and you, and I leave the
> ciphertext on my disk thinking it's only accessible by me, I'm
> wrong. It is as vulnerable to compromise of your key as it is mine.

Even if I delete the ciphertext from my disk it's still vulnerable
because the sender probably has had the same key since 1993 and has no
plans to change the key any time soon, whereas my keys are expired
every month, and the attacker can easily archive ciphertexts passing
over the internet.

> David Parkinson writes:
> > I'll admit it does send another copy of the session key,
> > but this has been encrypted with _your_ public key.  Is this really
> > a problem?

Let's state that more clearly: if people who have long term encryption
keys (lifetime: years, to decades) send me messages encrypted with
`encrypt to self' it removes the security I obtain by having short
lived encryption keys (on those messages).

Further, the practice of using encrypt to self prevents one from having
short lived encryption keys, because the functions of archiving (need
keys to last a long time) and communications security (need keys to
last as short a time as practical) are combined.

Adam
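The situation Adam describes, as an added worked example that is not part of the original post or of any PGP implementation: a PGP-style hybrid message in which one session key seals the body and a copy of that session key is wrapped to each recipient's public key, so that "encrypt to self" is nothing more than adding the sender's own key to the recipient list. The `RotationScenario` function, the `Message` layout, the RSA-OAEP and AES-GCM choices and the 2048-bit keys are all assumptions made for this illustration; the sample plaintext is constructed. It plays out a sender with a long-lived key, a recipient who expires a monthly key, and an attacker who kept the wire ciphertext, and also shows the separation Adam asks for: the recipient keeps a readable copy by re-encrypting the plaintext to a distinct archive key instead of relying on anyone's long-term communications key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message is a constructed stand-in for a PGP-style message: one random
// session key encrypts the body, and a copy of the session key is wrapped
// to each recipient's public key. "Encrypt to self" adds the sender's own
// public key to that list.
type Message struct {
	WrappedKeys map[string][]byte // key ID -> session key under RSA-OAEP
	Nonce       []byte
	Body        []byte // AES-GCM ciphertext of the plaintext
}

// KeyID is a short label for a public key, used only to locate the wrapped
// session-key copy addressed to it (hypothetical, not a PGP key ID).
func KeyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return fmt.Sprintf("%x", sum[:4])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext so that any one of the recipient keys can open it.
func Encrypt(plaintext []byte, recipients ...*rsa.PublicKey) (*Message, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := &Message{WrappedKeys: map[string][]byte{}, Nonce: nonce}
	msg.Body = gcm.Seal(nil, nonce, plaintext, nil)
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		msg.WrappedKeys[KeyID(pub)] = wrapped
	}
	return msg, nil
}

// Decrypt opens msg with priv; it fails when no session-key copy is addressed
// to that key. Any single key on the recipient list is enough.
func Decrypt(msg *Message, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := msg.WrappedKeys[KeyID(&priv.PublicKey)]
	if !ok {
		return nil, errors.New("no session key wrapped to this key")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Body, nil)
}

// Outcome records who can still read the message once the recipient's
// monthly key is gone and only the wire ciphertext and the archive remain.
type Outcome struct {
	RecipientReadsLive    bool // recipient opened it while the monthly key existed
	SenderKeyOpensArchive bool // sender's long-term key alone opens the wire copy
	ArchiveKeyOpensCopy   bool // recipient's separate archive key opens the re-encrypted copy
}

// RotationScenario: the recipient's key lives a month, the sender's for years,
// and an attacker keeps the wire ciphertext. With encryptToSelf the sender's
// key is a second way into every archived message; without it, the recipient
// still keeps a readable copy under a key used only for archiving.
func RotationScenario(encryptToSelf bool) (Outcome, error) {
	var out Outcome
	senderLongTerm, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	recipientMonthly, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	recipientArchive, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	recipients := []*rsa.PublicKey{&recipientMonthly.PublicKey}
	if encryptToSelf {
		recipients = append(recipients, &senderLongTerm.PublicKey)
	}
	plaintext := []byte("constructed sample message")
	wire, err := Encrypt(plaintext, recipients...)
	if err != nil {
		return out, err
	}
	got, err := Decrypt(wire, recipientMonthly) // read while the monthly key is live
	out.RecipientReadsLive = err == nil && string(got) == string(plaintext)
	archived, err := Encrypt(plaintext, &recipientArchive.PublicKey) // kept under the archive key
	if err != nil {
		return out, err
	}
	recipientMonthly = nil // monthly key expired and destroyed
	_, err = Decrypt(wire, senderLongTerm) // later compromise of the sender's long-term key
	out.SenderKeyOpensArchive = err == nil
	_, err = Decrypt(archived, recipientArchive)
	out.ArchiveKeyOpensCopy = err == nil
	return out, nil
}

func main() {
	for _, ets := range []bool{true, false} {
		out, err := RotationScenario(ets)
		if err != nil {
			panic(err)
		}
		fmt.Printf("encrypt-to-self=%v: %+v\n", ets, out)
	}
}
```

Running it shows `SenderKeyOpensArchive` true only when encrypt-to-self was used, which is the exposure the post objects to, while `ArchiveKeyOpensCopy` is true in both runs because the recipient's archive key, not anyone's communications key, is what keeps old mail readable.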